Curio
March 27th, 2005, 21:10 PM
I just been reading this article http://www.silentrunners.org/sr_cwsremoval.html over at the silent runners website. CWS has used a version of the HackerDefender rootkit in the past to stealth itself and that article describes a variant I haven't seen yet in the wild. It looks pretty much like they like the rootkit idea.
The hackerdefender infection I saw was pretty scary there was no sign of anything running in any standard tools but when you opened a program like Spybot, Adaware, Norton Antivirus ..etc it was killed within 5 seconds. This reminded me of the Beast trojan so I suspected a miscreant had infected this PC with something at a LAN party the owner had recently returned from. I loaded the PC with ProcessGuard and rebooted then checked through the PG log, it showed a service starting from system32 that I had never heard of. When I looked in system32 the file wasn't there. When I searched the registry there was no sign of the filename or any startup reference.
Being the curious type I rebooted with BartPE and looked in the system32 folder, a-ha! Now it was there, I scanned it with a virus scanner - nothing. I renamed it by removing the extension and tagging it on the front (exe.naughtyfile) and rebooted. Now we are talking I could see the entries in the registry and the service startup 'hxdef100'. Once again hooray for PG but if that service had loaded before PG or if it had been something injected into a legitimate file it would have been impossible to find. Even storing it as an ADS would have made it a nightmare to trace - boot from BartPE and run lads.exe on the system, it would be a wipe and reload.
So that's what they have done up to now - and holyfather does custom versions of hackerdefender which are undetected by any AV or Rootkit finders. I think I can guess what's coming next. Get the wipe and reload disks at the ready :eek:
The hackerdefender infection I saw was pretty scary there was no sign of anything running in any standard tools but when you opened a program like Spybot, Adaware, Norton Antivirus ..etc it was killed within 5 seconds. This reminded me of the Beast trojan so I suspected a miscreant had infected this PC with something at a LAN party the owner had recently returned from. I loaded the PC with ProcessGuard and rebooted then checked through the PG log, it showed a service starting from system32 that I had never heard of. When I looked in system32 the file wasn't there. When I searched the registry there was no sign of the filename or any startup reference.
Being the curious type I rebooted with BartPE and looked in the system32 folder, a-ha! Now it was there, I scanned it with a virus scanner - nothing. I renamed it by removing the extension and tagging it on the front (exe.naughtyfile) and rebooted. Now we are talking I could see the entries in the registry and the service startup 'hxdef100'. Once again hooray for PG but if that service had loaded before PG or if it had been something injected into a legitimate file it would have been impossible to find. Even storing it as an ADS would have made it a nightmare to trace - boot from BartPE and run lads.exe on the system, it would be a wipe and reload.
So that's what they have done up to now - and holyfather does custom versions of hackerdefender which are undetected by any AV or Rootkit finders. I think I can guess what's coming next. Get the wipe and reload disks at the ready :eek: